dkim

Brevo SPF, DKIM & DMARC Setup: Authenticate Your Domain (formerly Sendinblue)

Brevo authenticates your domain with DKIM, not SPF. On shared IPs the envelope sender stays on Brevo's domain, so SPF does not align to your From address, but Brevo signs mail with your domain and DMARC passes on DKIM alignment alone. This guide covers the brevo_code record, automatic and manual DKIM flows, the Sendinblue rename, the Gmail and Yahoo rules, and how to verify.

Jul 3, 20267 min read

Brevo, the platform formerly known as Sendinblue, authenticates your sending domain with DKIM rather than SPF. For shared-IP sending the envelope sender (the Return-Path) stays on a Brevo domain, so SPF authenticates Brevo, not you. What makes your mail pass DMARC is DKIM: Brevo signs every message with a key published on your domain, that signature aligns with your From address, and DMARC passes on DKIM alignment alone. You add a brevo_code verification record plus the DKIM records Brevo gives you, and you are done.

Reads public DNS only. Nothing is stored unless you save the domain to an account.

This trips people up because most provider guides tell you to edit your SPF record. With Brevo on a shared IP you do not need to, and adding Brevo to your SPF does nothing for alignment. Below is exactly what to publish, why DKIM carries the load, and how the dedicated-IP case differs.

Why Brevo uses DKIM alignment, not SPF

DMARC passes when at least one of two checks both authenticates and aligns. Alignment means the domain that passed the check matches the domain in the visible From header.

SPF checks the envelope sender (MAIL FROM / Return-Path), which is invisible to recipients. On Brevo shared IPs that Return-Path lives on a Brevo-owned domain so it can manage bounces and complaints across thousands of senders. SPF for that Brevo domain passes, but it does not align with your From domain, so it earns you nothing for DMARC. This is normal and expected. See SPF vs DKIM: the difference for the full mechanics.

DKIM works differently. Brevo signs the message body and headers with a private key and sets the signing domain tag to yours: d=yourdomain.com. The verifying server fetches your public key from DNS, confirms the signature, and because d= matches your From domain, DKIM aligns. That single aligned pass is enough for DMARC. This is why Brevo's setup is DKIM-first and SPF-optional.

If you want to see this end to end after setup, read how to read the Authentication-Results header so you can confirm dkim=pass with header.d=yourdomain.com.

Records Brevo asks you to publish

When you add and authenticate a domain in Brevo (Senders, Domains, and IPs, then Domains), Brevo generates the records for you. Confirm the exact values in your Brevo console, because the public key string is unique to your account. You will typically publish:

  • A domain-verification TXT record. Host @ or your root domain, value like brevo_code:1a2b3c4d5e6f. This proves you control the domain.
  • A DKIM TXT record. Host mail._domainkey.yourdomain.com, value k=rsa; p=MIGfMA0GCSqGSIb3DQ... (a long public key). This is the key that lets Brevo sign as your domain.
  • A DMARC record, if you do not already have one. Host _dmarc.yourdomain.com.

A published DKIM record looks like this:

mail._domainkey.yourdomain.com. IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

Set the TXT value exactly as Brevo shows it. A single altered or dropped character breaks the signature and DKIM fails. If your DNS host splits long values, keep the full key intact across the split. For the general pattern of DKIM in DNS see how to set up DKIM.

Automatic authentication

If your domain uses a DNS provider Brevo integrates with, Brevo can publish these records for you through an OAuth-style connection. You authorize access, Brevo writes the brevo_code and DKIM entries, and verification usually completes within minutes. This is the fastest path and removes copy-paste mistakes. Use it when offered.

Manual authentication

If Brevo does not integrate with your DNS host, or you keep DNS changes under manual control, you add each record yourself in your registrar or DNS panel. Create the TXT records exactly as listed, save, then return to Brevo and click the verify or authenticate button. DNS changes can take from a few minutes to a couple of hours to propagate depending on your TTL. If verification fails immediately, wait for the TTL to expire and try again rather than re-editing records.

The Sendinblue rename: what carries over

Sendinblue rebranded to Brevo in 2023. The company, platform, and your account are the same. If you authenticated a domain years ago under Sendinblue, those DKIM records generally keep working because the signing key lives on your domain and did not change with the name. You do not need to re-authenticate just because of the rebrand.

That said, if your old setup relied on adding Sendinblue to your SPF record and you never published DKIM, you are not DMARC-aligned and should authenticate properly now. Check your domain in Brevo: if it shows as unauthenticated or DKIM is missing, add the current records. Old help articles that reference "sendinblue.com" hosts may be stale, so trust the values in your live console over anything you find in cached documentation.

Dedicated IP: when SPF does matter

Everything above assumes shared sending. If you buy a Brevo dedicated IP, the picture changes. With a dedicated IP the Return-Path can be set to your own domain, which means you can make SPF align too. In that case Brevo will give you an SPF include to add. A typical SPF record looks like this:

yourdomain.com. IN TXT "v=spf1 include:spf.brevo.com -all"

Publish only the include Brevo specifies, and keep a single SPF record per domain. Merge Brevo's include into your existing SPF rather than creating a second record, and watch your lookup count, because SPF fails permanently past ten DNS lookups. See fix SPF too many DNS lookups if you send through several providers. Even on a dedicated IP, DKIM alignment remains your primary DMARC pass, so do not skip the DKIM records.

Add a DMARC record

DKIM alignment gives you a passing result, but a DMARC record is what tells receivers to report and enforce. Start in monitoring mode:

_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

p=none collects data without affecting delivery. Once your Brevo mail and any other legitimate senders show aligned passes, tighten to p=quarantine and then p=reject. Walk that path in how to move DMARC from none to reject. If Brevo DKIM aligns but you see failures from another source, confirm alignment for each sender with fix DKIM alignment.

Satisfying the Gmail and Yahoo sender rules

Since February 2024, Gmail and Yahoo require bulk senders (roughly 5,000+ messages a day to their users) to authenticate with SPF or DKIM, keep alignment for at least one, publish a DMARC policy of at least p=none, and support one-click unsubscribe. A correctly authenticated Brevo domain meets these rules: DKIM aligns to your From domain, and your published _dmarc record satisfies the policy requirement. Brevo adds compliant List-Unsubscribe headers to marketing campaigns automatically. Read the full checklist in Google and Yahoo sender requirements. The key takeaway for Brevo users: you do not need SPF alignment to pass, because your aligned DKIM already covers the authentication requirement.

Verify your Brevo setup

Do not trust the green check in Brevo alone. It confirms Brevo can sign, not that DMARC will pass at the receiver. Send a test to a Gmail or Outlook address, open the message, and view the original or headers to confirm dkim=pass header.d=yourdomain.com and a dmarc=pass.

Then run your domain through the checker on this page. It reads your live DNS, confirms the DKIM key resolves and parses, checks your DMARC policy and syntax, and flags whether your From domain will align. If DKIM shows a failure, the most common cause is a truncated or reformatted public key, so re-copy it exactly from Brevo.

Frequently asked questions

Do I need an SPF record for Brevo?

Not for shared sending. Brevo's Return-Path stays on its own domain, so SPF cannot align to your From address anyway, and DMARC passes on aligned DKIM alone. Only add Brevo's SPF include if you use a dedicated IP configured to send from your domain.

Why does SPF fail but my Brevo email still passes DMARC?

Because DMARC needs only one aligned, passing mechanism. Brevo signs with DKIM using your domain, that signature aligns with your From header, and DMARC passes. The unaligned SPF result is expected on shared IPs and does not hurt you.

Are my old Sendinblue DKIM records still valid after the Brevo rename?

Yes. The rebrand did not change your signing key, which lives on your domain. Existing DKIM records keep working. Only re-authenticate if your Brevo console shows the domain as unauthenticated or missing DKIM.

Will Brevo authentication meet the Gmail and Yahoo requirements?

Yes. Aligned DKIM satisfies the authentication and alignment rule, and your published DMARC record (at least p=none) satisfies the policy rule. Brevo also adds one-click unsubscribe to campaigns, covering that requirement for bulk senders.

Check your own domain

Run a free scan and get your grade with the exact records to fix.

Scan a domain

Related guides

Brevo SPF, DKIM & DMARC Setup (formerly Sendinblue)